In light of the growing threat, banks need to require their customers to use biometric authentication for mobile banking and help them to install technologies that can detect the presence of malware on mobile devices, some security experts advise.

"Mobile malware in general should be of concern to financial institutions," says financial fraud expert Julie Conroy, research director at the consultancy Aite. "As the mobile channel continues to grow - JPMorgan Chase's earnings announcement [Jan. 14] said their mobile bankers had grown 20 percent year-over-year to 23 million - criminals are following the money. We're seeing not only the number of strains of mobile malware increase, but also the portion of them that are malicious. I'm speaking with many banks that are actively working on deploying technologies that can shield mobile banking sessions from malware."

FireEye: Android Devices Targeted

Last month, FireEye published a report about the SlemBunk malware strain, which is designed to attack Android devices and steal mobile banking login credentials. At the time the report was published, FireEye had identified 170 SlemBunk samples in the wild that targeted users of more than 30 mobile banking applications. Attacks were identified in North America, Europe, and Asia Pacific.

In an update provided in a Jan. 13 blog, FireEye says SlemBunk's attack chain is much longer than originally reported. Three malicious mobile apps have to be downloaded before the attack is complete, the firm says. That makes it much more difficult for analysts and researchers to trace these attacks back to their origin. "Thus, the malware can have a more persistent existence on the victim's device," FireEye adds.

"Those Trojan apps masquerade as common, popular applications and stay incognito after running for the first time," FireEye said in its Dec. 17 report. "They have the ability to phish for and harvest authentication credentials when specified banking apps are launched."

Jimmy Su, senior staff software development engineer at FireEye, says SlemBunk's capabilities have become far more sophisticated. "Both obfuscation and the distribution channel have become more sophisticated in the past two to three weeks," he says. "The technique can be used to target any bank or credit union that has its own mobile app. Minimal amount of code changes are needed to target a new bank or credit union."

To help minimize those emerging risks, Su recommends that banking institutions implement two-factor authentication for mobile and online banking, provide or suggest mobile threat prevention services to their customers, and use location and Internet Protocol information to identify anomalies in users' log-in behavior for mobile and online banking.

More Mobile Attacks on Way

Consumers' use of mobile banking surpassed in-branch banking for the first time in 2015, proving that mobile is increasingly users' preferred banking channel, says Al Pascual, senior vice president and research director at Javelin Strategy & Research.

"Banking malware will only become more popular in the mobile space as it becomes consumers' channel of choice," Pascual says. "SlemBunk's focus on gleaning credentials should incite banks to move more quickly toward instituting biometric authentication in the mobile channel, as well as to bolster their online authentication to prevent effective misuse of any data compromised from a mobile banking session.

"We continue to have problems with banking malware and passwords, and now that has migrated to the mobile channel. At this point, everyone knows the lesson; it's just a question of deciding to act on it."

How the Trojan Spreads

FireEye has not identified any of the banking institutions or payments providers whose apps have been targeted by SlemBunk. But it has offered details about how the Trojan spreads.

Like many other types of malware, the latest versions of SlemBunk are primarily distributed through drive-by downloads, such as from pornography websites. In many cases, users are prompted to download a fake Adobe Flash update that is malicious, FireEye notes.

In its Jan. 13 blog about additional concerns linked to SlemBunk, FireEye points out that configurable network computing servers also are being used to wage SlemBunk attacks - an additional layer of the attack chain FireEye did not identify during its first analysis.

"Our additional research also identified the URLs of a few CnC [command and control] servers for this campaign," FireEye writes in its blog. "We looked into the communication protocol between the SlemBunk apps and the CnC server by studying relevant code and monitoring the exchanged messages. It reveals that SlemBunk is developing into a more organized campaign with highly customized CnC servers, including the use of what appears to be an administration panel to manage the campaigns. The registration records of the relevant domains suggest that this campaign activity is very recent, still ongoing, and possibly evolving into different forms."

What's more, FireEye says this combined use of drive-by download distribution and CnC server communication suggests that the SlemBunk campaign is well-organized and continues to evolve.

"The administrative interface hosted on the CnC server implies that the CnC server is customizable and that the SlemBunk payload can easily adapt per the attacker's specifications," FireEye says. "Second, the timeline information for the domains associated with this attack showed that this campaign is very recent, still ongoing and very likely to continue evolving into different forms."

"iSIGHT Partners has documented a number of Android malware families and, while we have not specifically identified the Trojan that FireEye terms 'SlemBunk,' we believe it is related to a series of Android malware authored by GanjaMan," the company says. "SlemBunk shares similarities in functionality to several malware types developed by this actor."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
